Re: Moving from type forward to type static-stub

2012-10-10 Thread Matus UHLAR - fantomas

On 20.09.12 19:49, Oscar Ricardo Silva wrote:
The current servers are configured to forward any queries for our 
domain straight to our authoritative servers:


I've been reading about the new zone type:  static-stub  and believe 
this may work better for us.


If I'm correct, it will send non-recursive queries to the listed 
servers and will honor delegations. I've tested this configuration in 
our lab and it all appears to be working.


With our configuration, are there any downsides to changing from 
forward zones to static-stub?  Any gotchas I should know about?  At 
this time we don't have dnssec validation turned on.  We tried it and 
had too many problems with misconfigured domains not resolving 
properly so backed out.


type forward supports forward first, which is good if you have e.g. local
versions of blacklists but want to use standard resolution when your local
servers are unreachable.
 
--

Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Improved SSL Error Logging [RT #29932]

2012-10-10 Thread Evan Hunt

 BIND 9.7.7, 9.8.4 and 9.9.2 have improved OpenSSL error logging.
 Unfortunately, our logs are now filling up with RSA_verify failed
 messages.

Yeah, oops, we made that one too noisy.  You're not the first one
who's noticed. :/

 How does one go about tracking down the source of these failures and
 correcting them? (We are running OpenSSL 1.0.1c.)

In BIND9, in lib/dns/opensslrsa_link.c, change this:

return (dst__openssl_toresult2(RSA_verify,
   DST_R_VERIFYFAILURE));

to this:

return (dst__openssl_toresult(DST_R_VERIFYFAILURE));

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: query (cache) 'domain.com/AAAA/IN' denied

2012-10-10 Thread kalin






On 10/10/12 9:41 PM, Árni Birgisson wrote:

You have all those allow-*, but in your previous email you have
recursion no; which you would have to change to recursion yes;.

When you have done this, make sure to restrict it with the allow-recursion
so you do not have an open resolver.


thanks to you too, but same result.


options {
version ;
directory   /etc/namedb;
pid-file/var/run/named/pid;
dump-file   /var/dump/named_dump.db;
statistics-file /var/stats/named.stats;

allow-query-cache { any; };
allow-query { any; };
recursion yes;
// allow-recursion { any; }


allow-transfer  {
127.0.0.1;
};

};


# dig @ns2.  domain.com

; <<>> DiG 9.4.2 <<>> @ns2 domain.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;domain.com.   IN  A

;; Query t

i actually have another machine that has bind 9.4.2 and it works as 
desired without all these options. both machines are meant to be 
authoritative for domain.com...



anything else i can try?




thanks...





-- Arni


- Original Message -
From: kalin ka...@el.net
To: Lyle Giese l...@lcrcomputer.net
Cc: bind-users@lists.isc.org
Sent: Thursday, October 11, 2012 1:34:24 AM
Subject: Re: query (cache) 'domain.com//IN' denied



On 10/10/12 9:17 PM, Lyle Giese wrote:

On 10/10/12 20:01, kalin wrote:


hi all...

# uname -a
NetBSD ns2. 5.1 NetBSD 5.1  ...

# named -v
BIND 9.5.2-P2

i get these in the log:

Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query
(cache) 'domain.net//IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query
(cache) 'domain.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query
(cache) 'domain.net//IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query
(cache) 'domain.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query
(cache) 'domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query
(cache) 'domain.org/A/IN' denied

.


all the domain.net, .org, .com above exist. if i do a dig off a local
machine they resolve fine. if the dig is out of this network i get a
log entry as above.

at this point the named.conf has:

options {
 version ha-ha-ha;
 directory   /etc/namedb;
 pid-file/var/run/named/pid;
 dump-file   /var/dump/named_dump.db;
 statistics-file /var/stats/named.stats;


 allow-query-cache { any; };
 allow-query { any; };
 recursion no;


 allow-transfer  {
 127.0.0.1;
 };

   };


i'm not sure where to look next   this machine is on a verizon
fios if that really makes any difference...


where should i look?


thanks

These are queries that require recursion and you have that turned off.
If you don't want a publicly abused dns server, turn recursion on and
restrict recursion to your LAN addresses (allow-recursion).


thanks..  but not good.

now i have:

 allow-query-cache { any; };
  allow-query { any; };
  allow-recursion { any; }

and still those logs. a dig from the outside gets refused...







Lyle Giese
LCR Computer Services, Inc.

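Triage of the "query (cache) ... denied" log lines kalin posted, as an added example that is not part of the thread: it splits the denials by whether the queried name falls inside a zone the server is supposed to serve, which is the distinction the later replies turn on (in-zone denials mean the zone is not loaded; foreign-name denials are recursion being refused). The zone list and the sample log lines (RFC 5737 addresses, example.* names) are constructed.

```python
import re
from collections import Counter

# One "query (cache) ... denied" line as named logs it. The type group may be empty
# because mail/web extraction sometimes drops it (the thread shows 'domain.net//IN').
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/']*)/(?P<rtype>[^/']*)/(?P<rclass>[^']*)' denied"
)

# Constructed sample: RFC 5737 client addresses and example.* names, in the thread's format.
SAMPLE_LOG = """\
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#19443: query (cache) 'example.net/AAAA/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#29333: query (cache) 'example.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#20710: query (cache) 'www.example.org/A/IN' denied
Oct 10 16:15:10 ns2 named[29914]: client 198.51.100.7#36976: query (cache) 'example.org/A/IN' denied
Oct 10 16:15:11 ns2 named[29914]: client 203.0.113.5#40001: query (cache) 'www.example.com/A/IN' denied
Oct 10 16:15:12 ns2 named[29914]: running
"""
SERVED_ZONES = ["example.net", "example.org"]   # assumed: zones this server should be authoritative for

def in_zone(name, served_zones):
    """Return the served zone containing name (exact or subdomain match), else None."""
    n = name.rstrip(".").lower()
    for zone in served_zones:
        z = zone.rstrip(".").lower()
        if n == z or n.endswith("." + z):
            return z
    return None

def triage(log_lines, served_zones):
    """Count denials per (name, type) split by in-zone vs foreign, plus per-client totals."""
    report = {"in_zone": Counter(), "out_of_zone": Counter(), "clients": Counter(), "unparsed": 0}
    for line in log_lines:
        m = DENIED_RE.search(line)
        if not m:
            report["unparsed"] += 1
            continue
        report["clients"][m["ip"]] += 1
        bucket = "in_zone" if in_zone(m["name"], served_zones) else "out_of_zone"
        report[bucket][(m["name"], m["rtype"] or "?")] += 1
    return report

def diagnose(report):
    """Map the counters onto the two situations the thread distinguishes."""
    findings = []
    if report["in_zone"]:
        findings.append(f"{sum(report['in_zone'].values())} denials are for names inside zones this server "
                        "should serve: the zone is not loaded (the answer lacks the aa flag)")
    if report["out_of_zone"]:
        findings.append(f"{sum(report['out_of_zone'].values())} denials are for foreign names: clients are "
                        "using this server as a recursive resolver; with recursion off these are expected")
    return findings
```

Run `diagnose(triage(SAMPLE_LOG.splitlines(), SERVED_ZONES))` to get the two findings for the sample; feed it real log lines and your own zone list in place of the constructed values.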

Re: query (cache) 'domain.com/AAAA/IN' denied

2012-10-10 Thread Lyle Giese

Maybe silly question, but after you changed your named.conf, did you 
restart named?


Are there any other named.conf on your system?  (your named may be 
reading a different named.conf other than the one you are editing.)


Lyle Giese

Re: query (cache) 'domain.com/AAAA/IN' denied

2012-10-10 Thread Mark Andrews

Make sure you are editing the named.conf named is using.  Change
the version string, reload the server and check that the version
reported matches what is in named.conf.

If that doesn't identify/fix the problem, post to the list the
complete named.conf along with any included files (x out the tsig
secrets) and a list of the zones the server is supposed to serve.
Problems like this are almost always the result of something simple
that is hidden because people are scared to post the full named.conf
so they post an overly redacted version.  The only thing that really
needs to be redacted are the shared secrets.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: query (cache) 'domain.com/AAAA/IN' denied

2012-10-10 Thread kalin





On 10/10/12 10:17 PM, Lyle Giese wrote:

Maybe silly question, but after you changed your named.conf, did you
restart named?


yea. via /etc/rc.d/named stop|start; checked with ps that it is not really 
running.




Are there any other named.conf 

Re: query (cache) 'domain.com/AAAA/IN' denied

2012-10-10 Thread Chris Buxton
On Oct 10, 2012, at 7:22 PM, kalin wrote:

 if i add a zone record to the named.conf i'm editing and do a dig on it, 
 locally i get it fine:
 
 $ dig @ns2. domain.com
 
 ; <<>> DiG 9.8.1-P1 <<>> @ns2. domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

No you don't. You're getting it from the other computer. No 'aa' flag.

Your zone is not loading for some reason.

The reason it works locally and not remotely is that the local query is in the 
default allow-recursion ACL, but the remote host is not.

The recursion settings are a red herring. Solve the missing 'aa' flag.

Chris Buxton
BlueCat Networks
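An added example, not from Chris's post, that turns his check into code: parse the header and flags lines of dig output and report whether the answer was authoritative (aa set), fetched recursively without aa (zone not loaded locally), or refused. The first two header blocks are the ones quoted in this thread; the third is constructed to show what a correctly loaded zone returns.

```python
import re

# dig's header and flags lines. The HEADER pattern also accepts copies whose
# ">>" / "<<" markers were stripped by mail or web extraction.
HEADER_RE = re.compile(r";;\s*-[^ ]*HEADER[^ ]*-\s*opcode:\s*(\w+),\s*status:\s*(\w+),\s*id:\s*(\d+)")
FLAGS_RE = re.compile(r";;\s*flags:\s*([a-z ]*);\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
                      r"\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)")

# The two header blocks quoted in this thread: the remote query that was REFUSED
# and the local query that got an answer.
REFUSED_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""
LOCAL_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""
# Constructed: what the same query should return once the zone is loaded on ns2.
AUTH_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""

def parse_dig(text):
    """Extract status, flag set and section counts from dig output."""
    h, f = HEADER_RE.search(text), FLAGS_RE.search(text)
    if not h or not f:
        raise ValueError("no dig header/flags lines found")
    return {"opcode": h.group(1), "status": h.group(2), "id": int(h.group(3)),
            "flags": set(f.group(1).split()),
            "answer": int(f.group(3)), "authority": int(f.group(4))}

def classify(resp):
    """Return (code, explanation): is the queried server really authoritative?"""
    flags = resp["flags"]
    if resp["status"] == "REFUSED":
        return ("REFUSED", "not authoritative for the name and not recursing for this "
                           "client (recursion off, or client outside allow-recursion)")
    if "aa" in flags:
        return ("AUTHORITATIVE", "aa set: the zone is loaded on the queried server")
    if "ra" in flags and resp["answer"] > 0:
        return ("RECURSIVE_NO_AA", "answered but no aa: the zone is not loaded locally; the "
                                   "server fetched the data recursively from elsewhere")
    return ("NON_AUTHORITATIVE", "no aa and no usable recursion: check zone loading and ACLs")

if __name__ == "__main__":
    for label, out in [("remote", REFUSED_OUTPUT), ("local", LOCAL_OUTPUT), ("fixed", AUTH_OUTPUT)]:
        print(label, *classify(parse_dig(out)))
```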